ADFS 2 and sha-512

  • Question

  • Hi,

    Relying partner certificate is due to be replaced; they have changed their certificate from sha1 to sha-512. We run ADFS on Server 2008 R2, ADFS 2.0 I believe. Will sha-256 be compatible as the secure hash algorithm, or will we need to upgrade to Server 2012 R2 and do a migration?

    Saturday, September 24, 2016 5:49 AM

All replies

  • That will be fine. However, why are you still running ADFS 2? The upgrade path to ADFS on Windows Server 2012 R2 is pretty straightforward (it's a parallel run with almost no, or no interruption of service at all). See the following documentation: Migrating Active Directory Federation Services Role Service to Windows Server 2012 R2 https://technet.microsoft.com/en-us/library/dn486815(v=ws.11).aspx

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Sunday, September 25, 2016 8:40 PM
  • Hi Pierre,

    Thanks for your response, it is much appreciated and good to know the cert at least won't be a breaking change. Yeah looks like the migration should be relatively easy and we will put that in as a project to get done. :)

    If we don't have to rush things then we can look to go to 2016 version which would be nice.

    Thanks again.

    Tuesday, September 27, 2016 1:04 AM
  • Aaron,

    Has your RP done their cert update, and can you empirically confirm it works with ADFSv2? I'm searching for potential ADFS v2 (and v3) issues with sha512, as one of our RPs broke unexpectedly, and the only difference I can find is they updated their cert and it uses sha512.

    We happen to have ADFS v2 in production and v3 in pre-production, using the same name and accessible via client hosts file change. Both exhibit the same problem.

    I'll probably be starting a new thread shortly, but wanted to see if you've proven sha512 works.

    Cheers.

    Friday, October 21, 2016 5:06 PM
  • Hmm... I don't think this will work. When evaluating the hashing algorithm for the RP trust, AD FS is expecting SHA-1 or SHA-256.

    http://blog.auth360.net

    Sunday, October 23, 2016 6:59 PM
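The reply above refers to the "Secure hash algorithm" setting on the relying party trust, which is a different thing from the hash the issuing CA used to sign the RP's X.509 certificate. When an RP breaks after a certificate swap, the first diagnostic step is to see both values side by side. The following PowerShell is an added example written for this thread, not code from any poster or from Microsoft; it assumes it runs in an elevated session on the AD FS server, and that the `SignatureAlgorithm`, `RequestSigningCertificate` and `EncryptionCertificate` properties returned by `Get-AdfsRelyingPartyTrust` are populated as they are on AD FS 2.0 and 3.0 (on 2.0 the cmdlet comes from the `Microsoft.Adfs.PowerShell` snap-in).

```powershell
# Added example (not from the thread): for each relying party trust, print the
# configured "Secure hash algorithm" next to the signature hash of the RP's own
# certificates, so a SHA-512-signed cert can be told apart from the trust setting.
# Assumes an elevated PowerShell session on the AD FS server.

if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    # AD FS 2.0 (Server 2008 R2): cmdlets live in a snap-in rather than a module
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

# Algorithm URIs AD FS stores for the RP trust "Secure hash algorithm" setting
$knownSigAlgs = @{
    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'        = 'SHA-1'
    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' = 'SHA-256'
}

function Get-CertHashInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { return $null }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        # Hash the CA used to sign this certificate, e.g. sha1RSA, sha256RSA, sha512RSA
        SignedWith = $Cert.SignatureAlgorithm.FriendlyName
        NotAfter   = $Cert.NotAfter
    }
}

foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $alg = $knownSigAlgs[$rp.SignatureAlgorithm]
    if (-not $alg) { $alg = "UNKNOWN ($($rp.SignatureAlgorithm))" }

    Write-Output ("RP trust: {0}  [Secure hash algorithm: {1}]" -f $rp.Name, $alg)

    # Request signing certificates: used to validate signed SAML requests from the RP
    foreach ($c in @($rp.RequestSigningCertificate)) {
        $info = Get-CertHashInfo $c
        if ($info) {
            Write-Output ("  signing cert   : {0}  signedWith={1}  expires={2}" -f `
                $info.Subject, $info.SignedWith, $info.NotAfter)
        }
    }

    # Encryption certificate: used to encrypt tokens issued to the RP
    $enc = Get-CertHashInfo $rp.EncryptionCertificate
    if ($enc) {
        Write-Output ("  encryption cert: {0}  signedWith={1}  expires={2}" -f `
            $enc.Subject, $enc.SignedWith, $enc.NotAfter)
    }
}
```

The "Secure hash algorithm" line reports what AD FS uses to sign the tokens it issues to that RP (and expects on signed requests), while `signedWith` reports how the certificate itself was signed by its CA. A certificate whose `signedWith` reads `sha512RSA` alongside a trust still set to SHA-1 or SHA-256 is the combination discussed in this thread; an `UNKNOWN` trust value is worth investigating before the certificate is swapped.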
  • Correct. I misread and thought that you meant SHA 256.

    Monday, October 24, 2016 2:38 AM
  • Hi Darin,

    Apologies for the delay just saw this, yes the change worked fine with their sha512 certificate in our ADFS 2.0 environment.

    Saturday, December 17, 2016 1:04 AM